SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.
Urs P. Küderli Principal Security Architect Microsoft.
Posted: 21-Dec-2015, Category: Documents
Transcript of Urs P. Küderli Principal Security Architect Microsoft.
Anywhere Access: Establishing End to End Trust
Urs P. Küderli, Principal Security Architect, Microsoft
Flexibility…
Access to information from wherever and whenever
Access to information on any device
User-friendly, transparent
Low TCO
Security
Demand for access
Different access, authentication and authorization systems
Different encryption technologies
No interoperability
Complex
Expensive
Security
Escalating threats
Security versus Access
Establish trust…
Trustworthy Computing
Your Processes
Current Strategies (diagram, ranging from No Strategy to Vision):
Point Solutions: Information Protection, Firewalls, patching, Anti-phishing, Anti-spyware, Anti-virus, Identity Management
Integrated Solutions: Defense in Depth, Integrated Identity, SDL and SD3, Threat Mitigation
Managing Risk, building Trust
(diagram) No Policy
Threats: phishing, viruses, malware, denial of service, data theft, identity theft
End-to-End Trust
“I+4A”
(diagram) Context: Social, Economic, Political
Trusted Stack: Data, People, Software, Hardware
Integrated Protection: SDL & SD3, Defense in Depth, Threat Mitigation
Building a trusted Stack
“I+4A”
Integrated Protection: SDL and SD3, Defense in Depth, Threat Mitigation
Secure Foundation: Trusted Hardware
Core Trust Components: Identity Claims, Authentication, Authorization, Access Control Mechanisms, Audit
Trusted Stack: Trusted People, Trusted Data, Trusted Software
Perimeters and Holes
The hole Picture
The new Picture?
The business case…
The problem… How RAS worked at MS
RAS Statistics:
55,000 unique users monthly
850,000 connections/month
45 seconds median time to successfully connect through quarantine
1700 Helpdesk calls per month
Two Engineers
154 servers
Anywhere Access benefits
Increase Agility: More easily adapt to changing business needs and workforce trends, including tough new regulatory standards
Boost Productivity: Control IT costs by leveraging existing infrastructure investments
Improve Protection: Protect critical business information end-to-end and more effectively manage identities across the enterprise
Anywhere Access components (1)
Identity
Strong two-factor authentication
Role-based access to resources
Federation with partners and customers
Flexible, pervasive PKI infrastructure
Protection
Policy-based security controls and automated remediation
Layered endpoint security solutions
Secure platform
Updates, anti-malware, firewall verified and controlled by policy
Authenticated transactions via PKI and IPSec/IPv6
Endpoint encryption and data access controls
Anywhere Access components (2)
Networks
Policy-based network access controls with auto-remediation
IPSec support for flexible and secure domain isolation
IPv6 for expanded address space and auto-config
Gateways for older or less-capable platforms
Ability to authenticate all network-level transactions
Manageability
Define and distribute security and group policies
Asset and configuration management
Patch distribution for applications and OS
Direct Connect Pilot
(diagram) Customer Site, IPv4 Internet, Corporate Network: IPv6 Network (Dual Stack)
Corporate network services: Health Registration (NAP HRA), DNS & RODC, IPv6 Apps, IPv4 Apps, NAT-PT
Clients: Compliant IPv6 Client, Compliant Vista+ Client, Non-Compliant Client, Down-level
Gateways: VPN Server, SSL VPN, Teredo Relay
Traffic on the IPv4 Internet: IPv4 Packet Clear Text or IPsec Auth; IPv4 Packet Clear or IPsec Auth/Encrypt
Encapsulated path: IPv6 Packet – IPsec Encrypted, carried inside an IPv4 Outer Packet – Clear, through a Dynamic IPsec Tunnel; the Teredo Relay removes the outer packet
Annotation: Blocks IPsec
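The encapsulation the diagram labels (an IPsec-protected IPv6 packet carried inside a clear IPv4/UDP outer packet that the Teredo Relay strips) as an added example, not code from the presentation: it builds a constructed sample frame, removes the outer headers the way a relay would, and shows that an observer on the IPv4 path sees only outer addresses and an ESP next-header, not the payload. The addresses, SPI and payload are constructed; UDP port 3544 and protocol number 50 are the standard Teredo and ESP values, and Teredo trailers/indicators are omitted for brevity.

```python
import struct

TEREDO_PORT = 3544   # Teredo carries IPv6 in UDP/3544 over IPv4 (RFC 4380)
IPPROTO_UDP = 17
IPPROTO_ESP = 50     # inner IPv6 next-header for IPsec ESP


def build_inner_ipv6_esp(payload: bytes) -> bytes:
    """IPv6 header (40 bytes) with next-header ESP, then SPI, sequence and opaque ciphertext.
    Addresses 2001:db8::1 -> 2001:db8::2 and SPI 0x1234 are constructed sample values."""
    esp = struct.pack("!II", 0x1234, 1) + payload
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(esp), IPPROTO_ESP, 64,
                      bytes.fromhex("20010db8") + bytes(11) + b"\x01",
                      bytes.fromhex("20010db8") + bytes(11) + b"\x02")
    return hdr + esp


def build_teredo_frame(inner_ipv6: bytes) -> bytes:
    """Wrap an IPv6 packet in a clear-text IPv4/UDP outer packet (constructed addresses)."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(inner_ipv6), 0, 0, 64,
                       IPPROTO_UDP, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    udp = struct.pack("!HHHH", TEREDO_PORT, TEREDO_PORT, 8 + len(inner_ipv6), 0)
    return ipv4 + udp + inner_ipv6


def relay_strip_outer(frame: bytes):
    """What the relay does: check the IPv4/UDP outer headers, return the inner IPv6 packet or None."""
    ver_ihl, proto = frame[0], frame[9]
    if ver_ihl >> 4 != 4 or proto != IPPROTO_UDP:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    dport = struct.unpack("!H", frame[ihl + 2:ihl + 4])[0]
    if dport != TEREDO_PORT:
        return None
    inner = frame[ihl + 8:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return inner


def observer_view(frame: bytes) -> dict:
    """What a relay or on-path observer can see: outer IPv4 addresses and the inner
    next-header; with ESP the transport payload itself stays opaque (end-to-end protection)."""
    inner = relay_strip_outer(frame)
    if inner is None:
        return {"teredo": False}
    return {
        "teredo": True,
        "outer_src": ".".join(map(str, frame[12:16])),
        "inner_next_header": inner[6],
        "inner_payload_opaque": inner[6] == IPPROTO_ESP,
    }
```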
AA brings IT Value
Cost Benefits
Reduced MSIT hardware compared to current VPN solution
Scalability of Solution
Reduced traffic/usage of the Proxies
User Benefits
Extends corpnet seamlessly to remote user
No user initiation to connect
Single Sign on
Always on
Easy to use; consistent experience
Use Peer to Peer Technologies
Security Benefits
Promotes end-to-end host-based security
System is always reachable (for scans, Group Policy, patching)
Proactive health (always checking for NAP, GPO, can be scanned while remote etc.)
An Integrated Platform
Your MSDN resources: check out these websites, blogs & more!
Presentations
TechDays: www.techdays.ch
MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx
MSDN Events
MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
MSDN Flash (our bi-weekly newsletter)
Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx
MSDN Team Blog
RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx
Developer User Groups & Communities
Mobile Devices: http://www.pocketpc.ch/
Microsoft Solutions User Group Switzerland: www.msugs.ch
.NET Managed User Group of Switzerland: www.dotmugs.ch
FoxPro User Group Switzerland: www.fugs.ch
Your TechNet resources: check out these websites, blogs & more!
Presentations
TechDays: www.techdays.ch
TechNet Events
TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
TechNet Flash (our bi-weekly newsletter)
Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx
Schweizer IT Professional und TechNet Blog
RSS: http://blogs.technet.com/chitpro-de/
IT Professional User Groups & Communities
SwissITPro User Group: www.swissitpro.ch
NT Anwendergruppe Schweiz: www.nt-ag.ch
PASS (Professional Association for SQL Server): www.sqlpass.ch
Save the date for tech·days next year!
7. – 8. April 2010, Congress Center Basel